Comment on Is this mail something I should be concerned about?
rtxn@lemmy.world 1 week ago
I can’t believe it. The incident has actually been reported!
I don't use Caddy, but it seems like it tried to generate and write a TLS certificate into `/usr/local`, but didn't have the necessary permissions. Is Caddy running in a container?
sugar_in_your_tea@sh.itjust.works 1 week ago
Caddy should never run sudo IMO, I think it’s also a software bug.
dgdft@lemmy.world 1 week ago
What would be the correct way for caddy to run actions like this that require elevated permissions, in your view?
sugar_in_your_tea@sh.itjust.works 1 week ago
Don’t require elevated permissions. Either grant the user it runs as permission to that dir, or instruct it to use a different dir that it has access to. Services should have the least permissions possible.
dgdft@lemmy.world 1 week ago
That’s how it already works — Caddy doesn’t require elevated privileges in general. You can toss a binary + config + certs anywhere in the homedir and it’ll go fine if you bind to a non-privileged port.
But users want software to do stuff like help set up certs and serve on ports 80 & 443, so what better option is there than to limit scope of execution by doing pinhole actions with sudo?